How to Block Ransomware in Windows 10 with Controlled Folder Access
Ransomware — software that scrambles files and demands a payment before unscrambling — has become quite the rage. Windows 10 takes measures to block ransomware on your device. While it’s an easy way for script kiddies to monetize their malware, it’s definitely a situation no Windows 10 user wants to find herself in.
Microsoft has come up with a way to preemptively block many kinds of ransomware by simply restricting access to folders that contain files the ransomware may want to zap.
There’s just one problem. Restricting, or controlling, folder access is a pain in the neck — it blocks every program unless you explicitly give that program access. So, for example, you can turn off access to your Documents folder but allow access for Word and Excel. That may work well until you want to run Notepad on a file in the Documents folder. Uh-oh.
That’s the reason why Microsoft doesn’t turn on Controlled Folder Access (CFA) by default. If you really, really want CFA, you have to dig deep and find it. If you do make the effort, the monkey’s on your back to (1) stick CFA on all the right folders and (2) allowlist any program that may need to use files in the CFA folders.
To enable CFA, you need to jump through the following hoops:
Click Yes when asked if you want to allow the app to make changes to your device. The CFA settings screen appears.
Realize that ransomware frequently attacks files in other locations.
The Windows 10 folder is added to the allowlist.
We have tested Controlled Folder Access against ransomware samples. The good news is that Controlled Folder Access achieved what it was designed to do: it successfully blocked ransomware from encrypting files located in protected folders.
The bad news is that while your protected folders are safe, other non-protected folders will still be encrypted, ransom notes will still be displayed, and other behavior will still continue.
This is because Controlled Folder Access is not designed to terminate detected ransomware, but rather protect a folder from ANY unauthorized modifications. This includes any program not in a white list, which could be 3rd party text editors, word processing applications, or photo editing programs.
Also, while testing Controlled Folder Access, an interesting side-effect was discovered when folders are whitelisted in Windows Defender. When executables are located in a whitelisted folder and attempt to modify a file in a protected folder, Controlled Folder Access will block the modification, but not display a toast alert notifying you that the program was blocked.
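Because a block can happen without a toast alert, the Defender event log is the place to confirm what CFA actually stopped. The following is an added example, not part of the original article: it configures CFA with the Windows Defender PowerShell cmdlets instead of the settings screen, starts in audit mode (a Defender option the article does not cover), and lists recent CFA events. The folder `D:\Projects` and the Notepad path are assumptions; run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: the folder and application paths below are assumptions; adjust them.
$ProtectedFolder = 'D:\Projects'                      # assumed extra folder to protect
$AllowedApp      = 'C:\Windows\System32\notepad.exe'  # assumed app to allowlist

# Start in audit mode: writes are logged, not blocked, so you can find the
# programs that need allowlisting before enforcement breaks them.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect a folder beyond the built-in defaults.
if (Test-Path -LiteralPath $ProtectedFolder -PathType Container) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolder
} else {
    Write-Warning "Skipping '$ProtectedFolder' (folder not found)"
}

# Allowlist one specific executable (full path) rather than a whole folder.
if (Test-Path -LiteralPath $AllowedApp -PathType Leaf) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApp
} else {
    Write-Warning "Skipping '$AllowedApp' (file not found)"
}

# Show the resulting configuration (0 = Disabled, 1 = Enabled, 2 = AuditMode).
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications

# Blocks may not raise a toast; the Defender operational log records them.
# Event 1123 = write blocked, 1124 = write audited (audit mode).
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# After reviewing the audit events and allowlisting what you need, enforce:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```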
While we highly recommend that everyone use Controlled Folder Access, it should not be considered a full-fledged anti-ransomware feature, but more like a data protection feature. While in some ways this is the same, in many ways it is different.
"Ransomware is more about manipulating vulnerabilities in human psychology than the adversary's technological sophistication."